Computer security Books

Book SynopsisCovering internet security, malware, phishing, and how to combat these serious and growing issues on both desktop and smart phone platforms, this book draws upon state-of-the-art research from industry and academia. The content also describes proven countermeasures using real world examples.Trade Review“For those looking for a book to gain situation awareness about the dangers of the Internet, one is hard pressed to find a better title than The Death of the Internet.” (Word Virus, 17 April 2013) “For those looking for a book to gain situation awareness about the dangers of the Internet, one is hard pressed to find a better title than The Death of the Internet.” (Slashdot, 15 April 2013) “The book includes possible solutions to some of the problems, but the overwhelming appeal of this text is the awareness is provides. Summing Up: Highly recommended. Students of all levels, general readers, and professionals/practitioners.” (Choice, 1 January 2012) Table of ContentsForeword xv Preface xvii Is the Title of this Book a Joke? xix Acknowledgments xxi Contributors xxiii Part I The Problem 1 What Could Kill the Internet? And so What? 3 2 It is About People 7 2.1 Human and Social Issues 7 Markus Jakobsson 2.1.1 Nigerian Scams 8 2.1.2 Password Reuse 9 2.1.3 Phishing 11 2.2 Who are the Criminals? 13 Igor Bulavko 2.2.1 Who are they? 13 2.2.2 Where are they? 14 2.2.3 Deep-Dive: Taking a Look at Ex-Soviet Hackers 14 2.2.4 Let’s try to Find Parallels in the World we Live in 16 2.2.5 Crime and Punishment? 16 3 How Criminals Profit 19 3.1 Online Advertising Fraud 20 Nevena Vratonjic, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux 3.1.1 Advertising on the Internet 20 3.1.2 Exploits of Online Advertising Systems 23 3.1.3 Click Fraud 25 3.1.4 Malvertising: Spreading Malware via Ads 31 3.1.5 Inflight Modification of Ad Traffic 32 3.1.6 Adware: Unsolicited Software Ads 34 3.1.7 Conclusion 35 3.2 Toeing the Line: Legal but Deceptive Service Offers 35 Markus Jakobsson and Ruilin Zhu 3.2.1 How Does it Work? 36 3.2.2 What do they Earn? 36 3.3 Phishing and Some Related Attacks 38 Markus Jakobsson and William Leddy 3.3.1 The Problem is the User 38 3.3.2 Phishing 38 3.3.3 Man-in-the-Middle 39 3.3.4 Man-in-the-Browser 40 3.3.5 New Attack: Man-in-the-Screen 41 3.4 Malware: Current Outlook 42 Members of the BITS Security Working Group and staff leads Greg Rattray and Andrew Kennedy 3.4.1 Malware Evolution 42 3.4.2 Malware Supply and Demand 48 3.5 Monetization 53 Markus Jakobsson 3.5.1 There is Money Everywhere 53 4 How ThingsWork and Fail 57 4.1 Online Advertising: With Secret Security 58 Markus Jakobsson 4.1.1 What is a Click? 58 4.1.2 How Secret Filters are Evaluated 60 4.1.3 What do Fraudsters Know? 62 4.2 Web Security Remediation Efforts 63 Jeff Hodges and Andy Steingruebl 4.2.1 Introduction 63 4.2.2 The Multitude of Web Browser Security Mechanisms 64 4.2.3 Where do we go from Here? 75 4.3 Content-Sniffing XSS Attacks: XSS with Non-HTML Content 75 Juan Caballero, Adam Barth, and Dawn Song 4.3.1 Introduction 75 4.3.2 Content-Sniffing XSS Attacks 77 4.3.3 Defenses 84 4.3.4 Conclusion 89 4.4 Our Internet Infrastructure at Risk 89 Garth Bruen 4.4.1 Introduction 89 4.4.2 The Political Structure 90 4.4.3 The Domain 92 4.4.4 WHOIS: Ownership and Technical Records 94 4.4.5 Registrars: Sponsors of Domain Names 96 4.4.6 Registries: Sponsors of Domain Extensions 97 4.4.7 CCTLDs: The Sovereign Domain Extensions 99 4.4.8 ICANN: The Main Internet Policy Body 100 4.4.9 Conclusion 102 4.5 Social Spam 103 Dimitar Nikolov and Filippo Menczer 4.5.1 Introduction 103 4.5.2 Motivations for Spammers 105 4.5.3 Case Study: Spam in the GiveALink Bookmarking System 108 4.5.4 Web Pollution 114 4.5.5 The Changing Nature of Social Spam: Content Farms 116 4.5.6 Conclusion 117 4.6 Understanding CAPTCHAs and Their Weaknesses 117 Elie Bursztein 4.6.1 What is a Captcha? 117 4.6.2 Types of Captchas 118 4.6.3 Evaluating Captcha Attack Effectiveness 118 4.6.4 Design of Captchas 119 4.6.5 Automated Attacks 124 4.6.6 Crowd-Sourcing: Using Humans to Break Captchas 127 4.7 Security Questions 131 Ariel Rabkin 4.7.1 Overview 131 4.7.2 Vulnerabilities 134 4.7.3 Variants and Possible Defenses 138 4.7.4 Conclusion 139 4.8 Folk Models of Home Computer Security 140 Rick Wash and Emilee Rader 4.8.1 The Relationship Between Folk Models and Security 140 4.8.2 Folk Models of Viruses and Other Malware 142 4.8.3 Folk Models of Hackers and Break-Ins 146 4.8.4 Following Security Advice 149 4.8.5 Lessons Learned 153 4.9 Detecting and Defeating Interception Attacks Against SSL 154 Christopher Soghoian and Sid Stamm 4.9.1 Introduction 154 4.9.2 Certificate Authorities and the Browser Vendors 155 4.9.3 Big Brother in the Browser 157 4.9.4 Compelled Assistance 158 4.9.5 Surveillance Appliances 159 4.9.6 Protecting Users 160 4.9.7 Threat Model Analysis 163 4.9.8 Related Work 166 4.9.9 Conclusion 168 5 The Mobile Problem 169 5.1 Phishing on Mobile Devices 169 Adrienne Porter Felt and David Wagner 5.1.1 The Mobile Phishing Threat 170 5.1.2 Common Control Transfers 172 5.1.3 Phishing Attacks 178 5.1.4 Web Sender⇒Mobile Target 182 5.1.5 Web Sender⇒Web Target 184 5.1.6 Attack Prevention 185 5.2 Why Mobile Malware will Explode 185 Markus Jakobsson and Mark Grandcolas 5.2.1 Nineteen Eighty-Six: When it all Started 186 5.2.2 A Glimpse of Users 186 5.2.3 Why Market Size Matters 186 5.2.4 Financial Trends 187 5.2.5 Mobile Malware Outlook 187 5.3 Tapjacking: Stealing Clicks on Mobile Devices 189 Gustav Rydstedt, Baptiste Gourdin, Elie Bursztein, and Dan Boneh 5.3.1 Framing Attacks 189 5.3.2 Phone Tapjacking 191 5.3.3 Framing Facebook 194 5.3.4 Summary and Recommendations 195 6 The Internet and the PhysicalWorld 197 6.1 Malware-Enabled Wireless Tracking Networks 197 Nathaniel Husted and Steven Myers 6.1.1 Introduction 198 6.1.2 The Anatomy of a Modern Smartphone 199 6.1.3 Mobile Tracking Networks: A Threat to Smartphones 200 6.1.4 Conclusion 219 6.2 Social Networking Leaks 219 Mayank Dhiman and Markus Jakobsson 6.2.1 Introduction 220 6.2.2 Motivations for Using Social Networking Sites 220 6.2.3 Trust and Privacy 221 6.2.4 Known Issues 222 6.2.5 Case Study: Social Networking Leaks in the Physical World 225 6.3 Abuse of Social Media and Political Manipulation 231 Bruno Gon¸calves, Michael Conover, and Filippo Menczer 6.3.1 The Rise of Online Grassroots Political Movements 231 6.3.2 Spam and Astroturfing 232 6.3.3 Deceptive Tactics 233 6.3.4 The Truthy System for Astroturf Detection 236 6.3.5 Discussion 240 Part II Thinking About Solutions 7 Solutions to the Problem 245 7.1 When and How to Authenticate 245 Richard Chow, Elaine Shi, Markus Jakobsson, Philippe Golle, Ryusuke Masuoka, Jesus Molina, Yuan Niu, and Jeff Song 7.1.1 Problem Description 246 7.1.2 Use Cases 247 7.1.3 System Architecture 248 7.1.4 User Privacy 250 7.1.5 Machine Learning/Algorithms 250 7.1.6 User Study 252 7.2 Fastwords: Adapting Passwords to Constrained Keyboards 255 Markus Jakobsson and Ruj Akavipat 7.2.1 The Principles Behind Fastwords 256 7.2.2 Basic Feature Set 258 7.2.3 Extended Feature Set 260 7.2.4 Sample Stories and Frequencies 261 7.2.5 Recall Rates 262 7.2.6 Security Analysis 264 7.2.7 The Security of Passwords 264 7.2.8 Entry Speed 268 7.2.9 Implementation of Fastword Entry 270 7.2.10 Conclusion 271 7.3 Deriving PINs from Passwords 271 Markus Jakobsson and Debin Liu 7.3.1 Introduction 272 7.3.2 A Brief Discussion of Passwords 273 7.3.3 How to Derive PINs from Passwords 274 7.3.4 Analysis of Passwords and Derived PINs 275 7.3.5 Security Analysis 278 7.3.6 Usability Experiments 280 7.4 Visual Preference Authentication 282 Yuan Niu, Markus Jakobsson, Gustav Rydstedt, and Dahn Tamir 7.4.1 Password Resets 282 7.4.2 Security Questions Aren’t so Secure 283 7.4.3 What is Visual Preference-Based Authentication 283 7.4.4 Evaluating Visual Preference-Based Authentication 285 7.4.5 Case Study: Visual Blue Moon Authentication 286 7.4.6 Conclusion 290 7.5 The Deadly Sins of Security User Interfaces 290 Nathan Good 7.5.1 Security Applications with Frustrating User Interfaces 291 7.5.2 The Four Sins of Security Application User Interfaces 293 7.5.3 Consumer Choice: A Security Bugbear 293 7.5.4 Security by Verbosity 299 7.5.5 Walls of Checkboxes 300 7.5.6 All or Nothing Switch 302 7.5.7 Conclusion 304 7.6 SpoofKiller—Let’s Kiss Spoofing Goodbye! 304 Markus Jakobsson and William Leddy 7.6.1 A Key to the Solution: Interrupts 305 7.6.2 Why can the User Log in to Good Sites, but not Bad Ones? 305 7.6.3 What About Sites that are Good . . . but not Certified Good? 308 7.6.4 SpoofKiller: Under the Hood 309 7.6.5 Say we Implement SpoofKiller—then What? 311 7.7 Device Identification and Intelligence 312 Ori Eisen 7.7.1 1995–2001: The Early Years of Device Identification 313 7.7.2 2001–2008 Tagless Device Identification Begins 314 7.7.3 2008—Present: Private Browsing and Beyond 319 7.8 How can we Determine if a Device is Infected or not? 323 Aur´elien Francillon, Markus Jakobsson, and Adrian Perrig 7.8.1 Why Detection is Difficult 323 7.8.2 Setting up an Isolated Environment 324 7.8.3 What Could go Wrong? 326 7.8.4 Brief Comparison with TrustZone 328 7.8.5 Summary 328 8 The Future 331 8.1 Security Needs the Best User Experience 332 Hampus Jakobsson 8.1.1 How the User Won Over Features 332 8.1.2 So How Come the iPhone Became so Successful? 332 8.1.3 A World of Information Anywhere 333 8.1.4 Midas’ Touch Screens 334 8.1.5 New Input, New Opportunities 335 8.1.6 Zero-Click and Real-Life User Interfaces 335 8.1.7 Privacy and User Interfaces 336 8.1.8 It all Comes Together 336 8.2 Fraud and the Future 336 Markus Jakobsson References 339 Index 359

Read more less

Book SynopsisWith the technology changing so rapidly, it is important that businesses carefully consider the available advances and opportunities before implementing cloud computing in their organisations. This title brings together discussion on current approaches to cloud-based technologies and assesses the possibilities for future advances in this field.

Read more less

Book SynopsisIn this new edition of IBM i Security Administration and Compliance, Carol Woodbury provides readers with everything they need to know about IBM i security. The definitive IBM i security reference, this Third Edition expands on the examples in previous editions to provide readers with clear, detailed explanations of current IBM i security features and explains how to implement and audit them.The Third Edition includes a new chapter dedicated to auditors to help them more effectively audit an IBM i (formerly AS/400 and iSeries). It also includes a new chapter containing practical examples of using the Authority Collection feature added in V7R3 and enhanced in V7R4. This new edition provides techniques for using security-related SQL views, guidance for determining what should be sent to your SIEM, methods to determine whether your IBM i has been breached, tips for avoiding malware on your IBM i, and updated examples throughout.Useful for security officers, security and system administrators, compliance officers, and internal and external auditors, the resources available in this book help organizations reduce the risk to the data residing on their IBM i systems and avoid business disruption by helping them protect systems and data from unauthorized access and modification.

Read more less

Book SynopsisIn this long-awaited update to IBM i Security Administration and Compliance, security expert Carol Woodbury tells you everything you need to know about IBM i security. Written in a clear, jargon-free style, this book explains the importance of developing a security policy and gives detailed guidance on how to implement and maintain such a system.

Read more less

Book SynopsisRather than rehashing basic information—such as command syntax—already available in other publications, this book focuses on important security and audit issues, business best practices, and compliance, discussing the important issues in IBM mainframe security. Mainframes are the backbone of most large IT organizations; security cannot be left to chance. With very little training available to the younger crowd, and older, more experienced personnel retiring or close to retiring, there is a need in mainframe security skills at the senior level. Based on real-life experiences, issues, and solutions to mainframe security from the author’s three decades of practical experience as a mainframe security practitioner, this book fulfills that need.

Read more less